The overall design sounds correct. It is important to highlight that not all configuration is equal though. We can break them in three categories:
* compile time - such as logger calls purging
* runtime and stateful - such as Phoenix port. If you change the port configuration, Phoenix won't magically start listening on a new port
* runtime and stateless - when Application.get_env is called whenever it is needed

So you could either have all apps reading from your config cache or have the config system consistently read from the external service and update Application.get_env but keep in mind some changes won't be reflected unless you recompile the code or restart some services.

On Tue, Mar 7, 2017 at 09:34 Dave Cottlehuber <[email protected]> wrote:

> On Mon, 6 Mar 2017, at 16:23, Isak Sky wrote:
> > I found some related writing about this issue in Elixir. This is from the docs of conform:
> >
> > https://hexdocs.pm/conform/getting-started.html#files-files-everywhere
>
> I've been pondering a similar issue:-
>
> How to inject passwords and more particularly, tokens with a limited lifespan, into Elixir? We are using hashicorp's vault [1] to handle application secrets, so my current thinking is this approach:
>
> - ansible provisions app / app upgrade and hands the app a master token, scoped for this app, to a vault module
> - module then uses this master token to look up various app-specific secrets (which are time limited)
> - module stores these in con_cache[2] and uses process_flag(sensitive, true) (see [3]) to keep them out of debug/dump logs
> - module is responsible for ensuring the master token is renewed every 1/2 life of the secret time limit
> - module is responsible for ensuring the subsidiary secrets are renewed every 1/2 life of their individual time limits
> - inside the app, each subsidiary system simply calls our module which internally retrieves the latest secret from con_cache's ets table
>
> From an OTP dependency, I would then end up making this app one of the first supervisors to start up, so that the remaining apps have their secrets already available.
>
> I also have a similar need to pull arbitrary, changing, runtime configuration into apps as well, not just secrets, so ideally this sort of functionality (lookups, app cache) would be built into Elixir directly so that any module could use it agnostically, without having to know that these secrets are not just from environment variable, or sys.config but taken from a different module. Perhaps it's possible to use the same sort of approach as with logging - batteries included, override as needed? I've not done this before so tips are welcome.
>
> A+
> Dave
>
> [1]: http://vaultproject.io/
> [2]: https://github.com/sasa1977/con_cache
> [3]: http://erlang.org/doc/man/erlang.html#process_flag-3
>
> --
> You received this message because you are subscribed to the Google Groups "elixir-lang-core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/elixir-lang-core/1488875563.761822.902936616.17E1418F%40webmail.messagingengine.com.
> For more options, visit https://groups.google.com/d/optout.

--
*José Valim*
www.plataformatec.com.br
Skype: jv.ptec
Founder and Director of R&D
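
The cache-and-renew module described in the quoted message, read at call time as in the "runtime and stateless" category, sketched here as an added example that is not code from either poster. It keeps secrets in GenServer state rather than con_cache, and `SecretCache`, `fetch_fun` and its return shape are hypothetical stand-ins for the Vault lookup.

```elixir
defmodule SecretCache do
  # Added illustration, not code from the thread. `fetch_fun` is a hypothetical
  # stand-in for the Vault lookup: it takes a secret name and returns
  # {:ok, value, ttl_seconds} or {:error, reason}.
  use GenServer

  @retry_ms 5_000

  def start_link(opts), do: GenServer.start_link(__MODULE__, opts, name: __MODULE__)

  # Subsystems call this each time they need a secret, so a renewed value is
  # picked up without restarting the caller.
  def get(name), do: GenServer.call(__MODULE__, {:get, name})

  @impl true
  def init(opts) do
    # Hide this process's messages and dictionary from tracing, process_info
    # and crash dumps.
    Process.flag(:sensitive, true)
    fetch_fun = Keyword.fetch!(opts, :fetch_fun)
    names = Keyword.fetch!(opts, :names)
    # Fetch synchronously so secrets exist before later siblings start.
    secrets = Enum.reduce(names, %{}, &refresh(&1, fetch_fun, &2))
    {:ok, %{fetch_fun: fetch_fun, secrets: secrets}}
  end

  @impl true
  def handle_call({:get, name}, _from, state) do
    {:reply, Map.fetch(state.secrets, name), state}
  end

  @impl true
  def handle_info({:renew, name}, state) do
    {:noreply, %{state | secrets: refresh(name, state.fetch_fun, state.secrets)}}
  end

  # Fetch one secret and schedule its next renewal at half its TTL; on
  # failure keep the previous value and retry after @retry_ms.
  defp refresh(name, fetch_fun, secrets) do
    case fetch_fun.(name) do
      {:ok, value, ttl_seconds} ->
        Process.send_after(self(), {:renew, name}, div(ttl_seconds * 1000, 2))
        Map.put(secrets, name, value)

      {:error, _reason} ->
        Process.send_after(self(), {:renew, name}, @retry_ms)
        secrets
    end
  end
end
```

`Process.flag(:sensitive, true)` does not cover the error report a crashing GenServer logs, which includes its state; the `format_status` callback is the place to redact that.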
